CVE-2023-28121: Critical Vulnerability Patched in WooCommerce Payments – What You Need to Know

An issue in the WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, such as an administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated.


On March 22, 2023, a vulnerability was discovered within WooCommerce Payments that, if exploited, could permit unauthorized admin access to impacted stores. We immediately deactivated the impacted services and mitigated the issue for all websites hosted on WordPress.com, Pressable, and WPVIP.

The vulnerability was reported by Michael Mazzolini of GoldNetwork, who was conducting white-hat testing for us through our HackerOne program. As soon as the vulnerability was reported, we began an investigation to ascertain whether any data had been exposed or if the vulnerability had been exploited. We currently have no evidence of the vulnerability being used outside of our own security testing program. We shipped a fix and worked with the WordPress.org Plugins Team to auto-update sites running WooCommerce Payments 4.8.0 through 5.6.1 to patched versions. The update is currently being automatically rolled out to as many stores as possible.

Because this vulnerability also had the potential to impact WooPay, a new payment checkout service in beta testing, we have temporarily disabled the beta program.

I have WooCommerce Payments installed. What actions do I need to take?
If your website is hosted on WordPress.com, your store is in the process of being updated or has already been updated to remove the vulnerability.

All websites with WooCommerce Payments 4.8.0 or higher installed and activated, that are not hosted on WordPress.com and have not updated to a patched version (see below), are still potentially vulnerable to this issue. Here’s how to make sure you have the latest version:

  1. From your WP Admin dashboard, click the Plugins menu item and look for WooCommerce Payments in your list of plugins.
  2. The version number should be displayed in the Description column next to the plugin name. If this number matches any of the patched versions listed below, no further action is needed.
  3. If a new version is available for download, you should see a notice guiding you to update WooCommerce Payments — please go ahead and do so.

Once you’re running a secure version, we recommend checking for any unexpected admin users or posts on your site. If you find any evidence of unexpected activity, we suggest:

  1. Updating the passwords for any Admin users on your site, especially if they reuse the same passwords on multiple websites.
  2. Rotating any API keys used on your site, including the WooCommerce API keys used on your site. Here’s how to update your WooCommerce API keys. For resetting other keys, please consult the documentation for those specific plugins or services.
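The post-update check above (unexpected admin users or posts) can be run as two queries against the WordPress database. The following is an added example, not code from the advisory or from Woo; it assumes the default `wp_` table prefix and uses a constructed in-memory sample so it runs offline, but the SQL itself is plain enough to run against a real MySQL WordPress database.

```python
import sqlite3

DISCLOSURE_DATE = "2023-03-22"  # first day the issue was known, per the advisory

# Constructed stand-in for three WordPress tables (default "wp_" prefix). WordPress
# keeps a user's roles as a PHP-serialised array in the usermeta row 'wp_capabilities'.
SCHEMA = """
CREATE TABLE wp_users   (ID INTEGER, user_login TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta(user_id INTEGER, meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_posts   (ID INTEGER, post_author INTEGER, post_date TEXT, post_title TEXT);
"""
ADMIN_CAPS = 'a:1:{s:13:"administrator";b:1;}'
SAMPLE_ROWS = {  # constructed sample: user 7 is an admin created after disclosure
    "wp_users": [(1, "owner", "2021-05-01 09:00:00"),
                 (7, "wpsupport", "2023-03-23 02:14:10")],
    "wp_usermeta": [(1, "wp_capabilities", ADMIN_CAPS),
                    (7, "wp_capabilities", ADMIN_CAPS)],
    "wp_posts": [(100, 1, "2023-01-10 10:00:00", "Spring sale"),
                 (101, 7, "2023-03-23 02:20:00", "hello world")],
}


def build_sample_db():
    """In-memory SQLite copy of the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def unexpected_admins(conn, since=DISCLOSURE_DATE):
    """Administrator accounts registered on or after `since`: (ID, login, registered)."""
    return conn.execute(
        """SELECT u.ID, u.user_login, u.user_registered
             FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
            WHERE m.meta_key = 'wp_capabilities'
              AND m.meta_value LIKE '%"administrator"%'
              AND u.user_registered >= ?
            ORDER BY u.user_registered""", (since,)).fetchall()


def posts_by_authors(conn, author_ids, since=DISCLOSURE_DATE):
    """Posts created on or after `since` by the given authors: (ID, author, date, title)."""
    if not author_ids:
        return []
    marks = ",".join("?" * len(author_ids))
    return conn.execute(
        f"""SELECT ID, post_author, post_date, post_title FROM wp_posts
             WHERE post_author IN ({marks}) AND post_date >= ?
             ORDER BY post_date""", (*author_ids, since)).fetchall()
```

Any account or post this returns that you did not create yourself is the "unexpected activity" the steps above refer to, and is the cue to rotate passwords and API keys.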

How do I know if my version is up-to-date?
Below you can find the full list of patched versions of WooCommerce Payments. If you are running a version of WooCommerce Payments that is not on this list, please update to one of these versions immediately.

Patched WooCommerce Payments Versions

  4.8.2
  4.9.1
  5.0.4
  5.1.3
  5.2.2
  5.3.1
  5.4.1
  5.5.2
  5.6.2
  5.7.0 and above
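The version check described in the steps above, applied to the patched list, can be automated when you look after many stores. This is an added example, not code from the advisory or from Woo: it takes the version string shown in WP Admin > Plugins, maps it to its release branch and reports whether that branch's patched release (or 5.7.0 and above) is installed, treating anything below 4.8.0 as outside the range the advisory names.

```python
import re

# Patched release per WooCommerce Payments branch, exactly as listed in the advisory.
PATCHED_BY_BRANCH = {
    (4, 8): (4, 8, 2), (4, 9): (4, 9, 1),
    (5, 0): (5, 0, 4), (5, 1): (5, 1, 3), (5, 2): (5, 2, 2),
    (5, 3): (5, 3, 1), (5, 4): (5, 4, 1), (5, 5): (5, 5, 2),
    (5, 6): (5, 6, 2),
}
FIRST_AFFECTED = (4, 8, 0)    # advisory: 4.8.0 through 5.6.1 were auto-updated
FIRST_FIXED_LINE = (5, 7, 0)  # "5.7.0 and above" is patched


def parse_version(text):
    """Turn '5.6.1' (or '5.6', '5.6.1-rc1') into a 3-tuple of ints."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def assess(version_text):
    """Return 'patched', 'vulnerable' or 'not-in-affected-range' for the
    WooCommerce Payments version string shown in WP Admin > Plugins."""
    v = parse_version(version_text)
    if v < FIRST_AFFECTED:
        return "not-in-affected-range"
    if v >= FIRST_FIXED_LINE:
        return "patched"
    fixed = PATCHED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "vulnerable"  # no branch-specific fix listed: update to be safe
    return "patched" if v >= fixed else "vulnerable"


def stores_needing_update(inventory):
    """Given {site: version} (constructed inventory), list sites still vulnerable."""
    return sorted(site for site, ver in inventory.items() if assess(ver) == "vulnerable")


if __name__ == "__main__":
    # Constructed sample inventory of sites and their installed plugin versions.
    sample = {"shop-a": "5.6.1", "shop-b": "5.6.2", "shop-c": "4.8.0", "shop-d": "5.7.3"}
    print(stores_needing_update(sample))
```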

Has my data been compromised?
At this time we have no evidence that the vulnerability was exploited beyond identifying it in our own security testing program. We will continue to investigate, and if we discover any new information we will update this post.

Which passwords do I need to change?
It’s unlikely that your password was compromised as it is hashed.

WordPress user passwords are hashed using salts, which means the resulting hash value is very difficult to crack. This salted hash approach protects your password as an admin user, and also the passwords of any other users on your site, including customers. While it is possible the hashed version of your password stored in your database may have been accessed through this vulnerability, the hash value should be indiscernible and still protect your passwords from unauthorized use.

Note that our guidance on passwords assumes that your site is using the standard WordPress password management for users. Depending on the plugins you’ve installed on your site you may have passwords or other sensitive information stored in less secure ways.

If any of the Administrator users on your site might have reused the same passwords on multiple websites, we recommend you update those passwords in case their credentials have been compromised elsewhere.

We also recommend changing any private or secret data stored in your WordPress/WooCommerce database. This may include API keys, public/private keys for payment gateways, and more, depending on your particular store configuration. Here’s how to update your WooCommerce API key. For resetting other keys, please consult the documentation for those specific plugins.

I’m a service provider, developer, or agency. Should I alert my WooCommerce merchants?
We encourage anyone who supports or develops for other WooCommerce merchants to share this information and to make sure that their clients who have WooCommerce Payments installed are using the most updated version of WooCommerce Payments.

I’m a merchant. Do I need to contact my customers?
We do not believe any store or customer data was compromised as a result of this vulnerability. If we have any reason to think this is not the case, we will contact you via email directly.

Is WooCommerce still safe to use?
Yes. Identifying a new vulnerability is uncommon; however, it can still happen. When it does, we work diligently to track and patch any vulnerabilities as quickly as possible. And we strive to investigate, act, and communicate with our merchants and customers as quickly as possible.

I have other questions.
If you have any further concerns or questions regarding this issue, our team of Happiness Engineers is on hand to help – open a support ticket.

March 27, 2023 UPDATE
Since posting about the WooCommerce Payments vulnerability last week, we have been in touch with a few customers who have reported potential exploits to their WooCommerce stores. We’re investigating each of those reports to better understand what has taken place, and we’re working directly with impacted customers to help them secure their shops.

We continue to encourage you to reach out and open a ticket with Woo’s support team if you believe your store was impacted.
